Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!vrdxhq!BMS-AT!stuart
From: stuart@BMS-AT.UUCP (Stuart D. Gathman)
Newsgroups: net.unix-wizards
Subject: Re: chroot(2) security
Message-ID: <233@BMS-AT.UUCP>
Date: Wed, 1-Oct-86 20:05:42 EDT
Article-I.D.: BMS-AT.233
Posted: Wed Oct 1 20:05:42 1986
Date-Received: Fri, 3-Oct-86 11:54:31 EDT
References: <158@itcatl.UUCP> <113@nonvon.UUCP>
Organization: Business Management Systems, Inc., Fairfax, VA
Lines: 16
Summary: Could be fixed

In article <113@nonvon.UUCP>, apn@nonvon.UUCP (apn) writes:

> write a program that changes the root directory to /mnt23/user/test
> and then proceeds to exec /bin/login

On our system, login only has execute permission for root. But, one
can link in the 'su' command! Even if the /bin directory is execute
only!

The resulting superuser process could then *modify* the su program to allow
a special root password after leaving the chroot process. (Otherwise,
even the root process could not access anything below the new root
directory.)

I believe that 'su' is the only problem. Take away 'su' and you can give
them 'chroot'. ('newgrp' is similar but not as bad.)

--
Stuart D. Gathman <..!seismo!{vrdxhq|dgis}!BMS-AT!stuart>
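An audit for the condition the post describes, a set-uid program hard-linked into a directory tree that could serve as a new root, added here as an example and not part of the original post. It flags set-uid files whose link count exceeds the number of names found inside the tree, which means another name for the same inode exists outside it. The function names, the `newroot` layout and the placeholder files are assumptions constructed for the demo; the placeholders are owned by whoever runs it, so the `owner_uid` field is there to let a real audit narrow the result to uid 0.

```python
import os
import stat
import tempfile
from collections import defaultdict


def audit_tree(root):
    """List set-uid regular files under root, grouped by inode."""
    names = defaultdict(list)  # (device, inode) -> names found inside root
    stats = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                names[(st.st_dev, st.st_ino)].append(path)
                stats[(st.st_dev, st.st_ino)] = st
    findings = []
    for key, paths in names.items():
        st = stats[key]
        findings.append({
            "paths": sorted(paths),
            "owner_uid": st.st_uid,
            "nlink": st.st_nlink,
            # More links than names inside the tree means another name for
            # this inode exists outside it: the file was linked in.
            "linked_from_outside": st.st_nlink > len(paths),
        })
    return sorted(findings, key=lambda f: f["paths"])


def build_demo():
    """Constructed sample tree; returns the path of the candidate root."""
    base = tempfile.mkdtemp(prefix="chroot-audit-")
    system_bin = os.path.join(base, "system", "bin")
    tree_bin = os.path.join(base, "newroot", "bin")
    os.makedirs(system_bin)
    os.makedirs(tree_bin)
    for path in (os.path.join(system_bin, "su"), os.path.join(tree_bin, "helper")):
        with open(path, "w") as fh:
            fh.write("placeholder, not a real binary\n")
        os.chmod(path, 0o4755)  # set-uid bit on our own placeholder file
    os.link(os.path.join(system_bin, "su"), os.path.join(tree_bin, "su"))
    return os.path.join(base, "newroot")


if __name__ == "__main__":
    for finding in audit_tree(build_demo()):
        print(finding)
```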